The Casper framework is composed of two components: a location anonymizer,
which is responsible for perturbing the user location until the user's privacy
preferences are satisfied, and a privacy-aware query processor, which is
responsible for the management of anonymous queries and cloaked spatial areas.

Anonymity-based techniques have also been exploited to guarantee path privacy
protection [17, 18, 19]. In particular, path privacy involves the protection
of users that are in motion and are continuously monitored during a time
interval. This research field is particularly relevant for location tracking
applications designed and developed for devices with limited capabilities
(e.g., cellular phones), where data about users moving in a particular area
are collected by external services. Gruteser et al. [17] propose a solution to
path privacy protection by means of path anonymization functions. The authors
argue that associating a user with a single pseudonym, or with multiple
pseudonyms that change over time, is not sufficient to provide path privacy
protection. The privacy provided by pseudonyms can be subverted by applying an
inference process that gathers path information, such as the place where a
user stays during the night. Therefore, since it is difficult to provide
strong anonymity for path protection, because it would require the existence
of several users traveling along the same path at the same time, Gruteser et
al. provide two techniques that guarantee a “weaker anonymity”, meaning that
users could potentially be linked to their identities, but only at the price
of huge computational effort. The first technique relies on path segmentation,
which partitions a user's path into a set of smaller paths while changing, at
the same time, the associated pseudonym. The second technique relies on
minutiae suppression, which suppresses those parts of a path that are more
distinctive and could lead to an easy association between a path and an
identity. The suitability of these techniques is highly dependent on the
density of users in the area in which the adversary collects location samples.
In areas with a low density of users, an adversary has a good likelihood of
tracking individuals, whereas in areas with many overlapping paths, linking
segments to identities can be extremely difficult.
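
The two techniques above can be sketched as follows. This is an added example, not code from Gruteser et al. [17] or from the original text. The grid cell size, the use of a per-cell user count below `min_users` as the measure of "distinctive", the segment length `max_len`, and all sample traces are assumptions constructed for illustration.

```python
import secrets
from collections import Counter

CELL = 100.0  # grid cell edge in metres (assumed)

# Constructed sample traces: user -> [(time, x, y)]. Alice's first and last
# samples lie in cells nobody else visits; the middle follows a shared street.
TRACES = {
    "alice": [(0, 10, 10), (1, 150, 10), (2, 250, 10), (3, 350, 10),
              (4, 450, 10), (5, 450, 150)],
    "bob":   [(0, 150, 20), (1, 250, 20), (2, 350, 20), (3, 450, 20)],
    "carol": [(0, 160, 90), (1, 260, 90), (2, 360, 90), (3, 460, 90)],
}

def cell_of(x, y):
    """Map a coordinate to its grid cell."""
    return (int(x // CELL), int(y // CELL))

def density_map(traces):
    """Number of distinct users observed in each grid cell."""
    seen = {(user, cell_of(x, y))
            for user, path in traces.items() for _, x, y in path}
    return Counter(cell for _, cell in seen)

def anonymize_path(samples, density, max_len=3, min_users=2):
    """Return [(pseudonym, samples)] for one user's path.

    Minutiae suppression (assumed criterion): drop samples in cells seen by
    fewer than min_users users. Path segmentation: start a new segment, with a
    fresh random pseudonym, every max_len samples and at every suppressed gap,
    so that no released segment bridges a suppressed part of the path.
    """
    segments, current = [], []
    for t, x, y in samples:
        distinctive = density[cell_of(x, y)] < min_users
        if (distinctive or len(current) == max_len) and current:
            segments.append((secrets.token_hex(8), current))
            current = []
        if not distinctive:
            current.append((t, x, y))
    if current:
        segments.append((secrets.token_hex(8), current))
    return segments

if __name__ == "__main__":
    for pseudonym, seg in anonymize_path(TRACES["alice"], density_map(TRACES)):
        print(pseudonym, [t for t, _, _ in seg])
```

With the constructed traces, Alice's unshared endpoints are withheld and the shared stretch is released under two unrelated pseudonyms. Run against a map containing only Alice, nothing is released at all, which mirrors the dependence on user density noted above.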

Other proposals consider path protection as a process whose outcome must be
managed by a service provider; consequently, privacy techniques have to
preserve a given level of accuracy to permit a good quality of service
provisioning. Gruteser and Liu [18] present a solution based on the definition
of a sensitivity map composed of sensitive and insensitive zones. Sensitive
zones are those areas where users prefer to hide their visits. The work
defines three algorithms aimed at path privacy protection: base, bounded-rate,
and k-area. Among the three, the k-area algorithm stands out, giving the best
performance in terms of privacy while minimizing the number of suppressed
location updates. In particular, the k-area algorithm is built on top of
sensitivity maps that are composed of areas containing k sensitive zones.
Location updates of a user entering a region with k sensitive areas are
temporarily stored and not released. If a user leaving that region has visited
at least one of the k sensitive areas, location updates are suppressed; they are